A clearly defined area of doubt and uncertainty

Menu

IKE

Juniper SRX IPSec Quick Commands

Over the last couple of years, the company I work for has become more and more involved in looking after customer SRX firewalls, either as a managed service, or simply on a remote technical support basis. Quite a lot of those customers have IPSec tunnels numbering in the hundreds (the biggest has 850+ on an SRX240 cluster, which is approaching the 1000 tunnel limit supported by the SRX240 platform), and whilst that isn’t a huge number where models like the SRX3xxx or SRX54xxx line is concerned, it’s still a huge number to have to parse through and diagnose issues. As a consequence, I started saving simple Linux command combinations for parsing the SRX output, so what follows are Juniper SRX IPSec quick commands, which I’ll add too as time goes on.

Show IPsec Tunnels Based on Index Value

OK, so you’ve got 850 tunnels, of which 250 are related to one customer. You need to show detailed information for a report, or log purposes. First, run ‘show security ipsec security-associations | match <remote_peer_ip>’ (1.2.3.4) in my example –

sed ‘s/$/ detail/’ – Use sed to add ‘ detail’ onto the end of each line.

Show IPsec Phase 2 Tunnels Based on VPN Name

Using the example above, here’s a similar process for getting the same output, but based on IPSec VPN name. Run ‘show configuration security ipsec | display set | match <value>’ to get the IPSec Phase 2 tunnel information. For example –

Neat. I can’t tell you how many times those commands have saved me hours of tedious typing in a terminal!

Clearing IPSec Tunnels

Finally, here’s a last one which refreshes IPSec Phase 2 tunnels. Be careful with this, as it’s possible to do damage and interrupt tunnel traffic. Use the ‘show security ipsec security-associations | match <peer_ip>’ output to filter against the remote peer concerned.